FortiAnalyzer not connected-fortinet-FortiOS

error
best-practices
fortios
fortinet

Vendor: fortinet

OS: FortiOS

Description:
A Fortinet firewall needs to keep a connection with a FortiAnalyzer, otherwise certain services, such as logging, might be impacted. Indeni will alert if the connection is down.

Remediation Steps:
|1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get system fortianalyzer-connectivity status” to review the connection status and remote disk usage with the FortiAnalyzer unit.
|2. Ensure that the correct log source has been selected in the Log Settings, under GUI Preferences of the Fortinet firewall.
|3. Check the routing and test ping connectivity between the Fortinet firewall and the FortiAnalyzer (if ICMP is allowed along the path).
|4. Check that TCP port 514 (the FortiGate to FortiAnalyzer logging connection) is allowed between the Fortinet firewall and the FortiAnalyzer. For more information check this link: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/FortiAnalyzer.htm#
|5. Check that DNS lookup on the Fortinet firewall is operational if the FortiAnalyzer’s FQDN needs to be resolved. Try to ping the FQDN of the FortiAnalyzer from the firewall.
|6. Check that the firmware versions of the firewall and the FortiAnalyzer unit are compatible. Review the firmware release notes for the compatibility information.
|7. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.

How does this work?
This script logs in to the FortiGate via SSH and retrieves the connectivity status with the FortiAnalyzer by using the FortiOS command “get system fortianalyzer-connectivity status”. This command provides information about the connectivity status and disk usage of the FortiAnalyzer.

Why is this important?
This metric is used to identify the connectivity status of the FortiGate device with the FortiAnalyzer. A FortiAnalyzer unit can log all FortiGate activity that is available for logging, including archiving. Check the link below for more information: https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf

Without Indeni how would you find this?
An admin would need to log into the Fortinet firewall and manually check the current connection status. This information can also be provided via SNMP and logging.
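The following is an added example, not code from the original page or from Indeni, showing the same parsing and alerting logic in Python so it can be run against sample output on a workstation. The two sample outputs are constructed to match the “Status:” and “Disk Usage:” lines the page's parser keys on, not captured from a real device; the 80% disk threshold is an assumed value. It handles the case the page mentions but the AWK script does not guard against: when the status is “disable” there is no Disk Usage line, so no disk metric should be produced.

```python
"""Parse `get system fortianalyzer-connectivity status` output and decide whether
the "FortiAnalyzer not connected" condition holds (added example, not Indeni code)."""
import re

# Constructed sample outputs (not captured from a real FortiGate). The field
# layout follows the two lines the page's AWK parser matches on.
SAMPLE_CONNECTED = """Status: connected
Disk Usage: 37%
"""
SAMPLE_DISABLED = """Status: disable
"""

STATUS_RE = re.compile(r"^Status:\s*(\S+)\s*$", re.IGNORECASE)
DISK_RE = re.compile(r"^Disk Usage:\s*(\d+(?:\.\d+)?)\s*%?\s*$", re.IGNORECASE)


def parse_status(output):
    """Return {'is_connected': 0|1, 'disk_usage': float|None}.

    disk_usage stays None when the device prints no Disk Usage line, which is
    what happens when logging to FortiAnalyzer is disabled or the link is down.
    A missing Status line is treated as not connected rather than as healthy.
    """
    result = {"is_connected": 0, "disk_usage": None}
    for line in output.splitlines():
        line = line.strip()
        m = STATUS_RE.match(line)
        if m:
            state = m.group(1).lower()
            result["is_connected"] = 1 if state in ("connected", "up") else 0
            continue
        m = DISK_RE.match(line)
        if m:
            result["disk_usage"] = float(m.group(1))
    return result


def evaluate(output, disk_warn_pct=80.0):
    """Mirror the StateDownTemplateRule: alert when is_connected == 0.

    Additionally flag high remote disk usage; disk_warn_pct is an assumed
    threshold, not one the page specifies. Returns (parsed, alerts).
    """
    parsed = parse_status(output)
    alerts = []
    if not parsed["is_connected"]:
        alerts.append("FortiAnalyzer not connected")
    elif parsed["disk_usage"] is not None and parsed["disk_usage"] >= disk_warn_pct:
        alerts.append(
            f"FortiAnalyzer disk usage {parsed['disk_usage']:.0f}% >= {disk_warn_pct:.0f}%"
        )
    return parsed, alerts


if __name__ == "__main__":
    for name, sample in (("connected", SAMPLE_CONNECTED), ("disabled", SAMPLE_DISABLED)):
        parsed, alerts = evaluate(sample)
        print(name, parsed, alerts)
```

Feeding the script the captured output of the FortiOS command (for example, piped from an SSH session) gives the same two values the Indeni script publishes, plus the alert decision the Scala rule below makes on the connection metric.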

fortios-fortianalyzer-connectivity-status

#! META
name: fortios-fortianalyzer-connectivity-status
description: Fortinet Firewall and FortiAnalyzer connectivity status information
type: monitoring
monitoring_interval: 15 minutes
requires:
    vendor: "fortinet"
    os.name: "FortiOS"
    product: "firewall"

# --------------------------------------------------------------------------------------------------
# The script publishes the following metrics
#
# [fortios-analyzer-is-connected]     [0 | 1; 1 when the status text is 'connected' or 'up']
# [fortios-analyzer-disk-usage]       [0-100; remote disk usage percentage, only when the device reports it]
# --------------------------------------------------------------------------------------------------

#! COMMENTS
fortios-analyzer-is-connected:
    why: |
        This metric is used to identify the connectivity status of the FortiGate device with the FortiAnalyzer. A
        FortiAnalyzer unit can log all FortiGate activity that is available for logging, including archiving. Check the
        link below for more information:
        https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf
    how: |
        This script logs in to the FortiGate via SSH and retrieves the connectivity status with the FortiAnalyzer by
        using the FortiOS command "get system fortianalyzer-connectivity status". This command provides information
        about the connectivity status and disk usage of the FortiAnalyzer.
    without-indeni: |
        An admin would need to log into the Fortinet firewall and manually check the current connection status. This
        information can also be provided via SNMP and logging.
    can-with-snmp: true
    can-with-syslog: true

fortios-analyzer-disk-usage:
    why: |
        This metric is used to identify the remote disk usage (%) information with the FortiAnalyzer. A FortiAnalyzer
        unit can log all FortiGate activity that is available for logging, including archiving. Check the link below
        for more information:
        https://docs.fortinet.com/uploaded/files/3421/logging-reporting-54.pdf
    how: |
        This script logs into the FortiGate via SSH and retrieves the connectivity status with the FortiAnalyzer by
        using the FortiOS command "get system fortianalyzer-connectivity status". This command provides information
        about the connectivity status and disk usage of the FortiAnalyzer.
    without-indeni: |
        An admin would need to log into the Fortinet firewall and manually check the current disk usage status. This
        information can also be provided via SNMP and logging.
    can-with-snmp: false
    can-with-syslog: true


#! REMOTE::SSH
get system fortianalyzer-connectivity status

#! PARSER::AWK

BEGIN {
    # Default to "not connected" so a missing Status line is never reported as healthy
    is_connected = 0
    disk_seen = 0
}

#Status: connected
#Status: disable
/^Status: /{

    # The last word carries the state ('disable' or 'connected' in the examples)
    connection_status = tolower($NF)
    is_connected = 0

    # Report 1 only when the state is 'connected' or 'up'; any other value counts as down
    if(connection_status == "connected" || connection_status == "up") {
        is_connected = 1
    }
}

# Parse remote disk usage.
# Note that when the status is 'disable' (not connected) the device prints no Disk Usage line,
# so the disk metric is published only when the line was actually seen.
#Disk Usage: 0%
/^Disk Usage:/{

    # The last word is the percentage. Remove the '%' character
    disk_percentage = $NF
    gsub("%", "", disk_percentage)

    disk_percentage = trim(disk_percentage)
    disk_seen = 1
}

END {
    # Publish metrics in the "FortiAnalyzer" category
    tags["name"] = "Connection to Analyzer"
    writeDoubleMetricWithLiveConfig("fortios-analyzer-is-connected", tags, "gauge", 300, is_connected, "FortiAnalyzer", "state", "name")

    if (disk_seen) {
        tags["name"] = "Analyzer Disk usage"
        writeDoubleMetricWithLiveConfig("fortios-analyzer-disk-usage", tags, "gauge", 300, disk_percentage, "FortiAnalyzer", "percentage", "name")
    }
}




FortinetFortiAnalyzerConnection

package com.indeni.server.rules.library.templatebased.fortinet

import com.indeni.server.rules.RuleContext
import com.indeni.server.rules.library.templates.StateDownTemplateRule
/**
  * Alerts when the fortios-analyzer-is-connected metric reports 0, i.e. the FortiGate
  * has lost its connection to the FortiAnalyzer.
  */
case class FortinetFortiAnalyzerConnection() extends StateDownTemplateRule(
  ruleName = "FortinetFortiAnalyzerConnection",
  ruleFriendlyName = "Fortinet Devices: FortiAnalyzer not connected",
  ruleDescription = "A Fortinet firewall needs to keep a connection with a FortiAnalyzer, otherwise certain services, such as logging, might be impacted. Indeni will alert if the connection is down.",
  metricName = "fortios-analyzer-is-connected",
  applicableMetricTag = "name",
  alertItemsHeader = "Affected Connection",
  alertDescription = "The connection between the Fortinet firewall and the FortiAnalyzer is down",
  baseRemediationText =
    """|1. Log in via SSH to the Fortinet firewall and run the FortiOS command “get system fortianalyzer-connectivity status” to review the connection status and remote disk usage with the FortiAnalyzer unit.
       |2. Ensure that the correct log source has been selected in the Log Settings, under GUI Preferences of the Fortinet firewall.
       |3. Check the routing and test ping connectivity between the Fortinet firewall and the FortiAnalyzer (if ICMP is allowed along the path).
       |4. Check that TCP port 514 (the FortiGate to FortiAnalyzer logging connection) is allowed between the Fortinet firewall and the FortiAnalyzer. For more information check this link: http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-ports-and-protocols-54/FortiAnalyzer.htm#
       |5. Check that DNS lookup on the Fortinet firewall is operational if the FortiAnalyzer’s FQDN needs to be resolved. Try to ping the FQDN of the FortiAnalyzer from the firewall.
       |6. Check that the firmware versions of the firewall and the FortiAnalyzer unit are compatible. Review the firmware release notes for the compatibility information.
       |7. If the problem persists, contact Fortinet Technical Support at https://support.fortinet.com/ for further assistance.""".stripMargin
  )()
